Data protection policy
Boxine Sales DAB GmbH (as the operator of websites tonies.com, including support - tonies.com/support, and our online shop - tonies.com/shop) and Boxine GmbH (as the operator of website my.tonies.com) take the protection of your personal data very seriously and ensure the safeguarding of your privacy.
We handle your personal data confidentially and in accordance with the statutory data protection regulations (in particular the EU General Data Protection Regulation [GDPR] and the Federal Data Protection Act [Bundesdatenschutzgesetz – BDSG]) and this data protection statement.
In order to guarantee that you are informed to the full extent about the collection and use of personal data on our websites, and your rights, please take note of the following information.
Name and address of the controller responsible for processing and who you can contact
The controller within the meaning of the General Data Protection Regulation (GDPR), other applicable data protection laws and other regulations of a data protection nature is the following:
Boxine Sales DAB GmbH
Grafenberger Allee 120
40237 Düsseldorf, Germany
You can reach our data protection officer using the following contact details:
Mr Philipp Herold
23617 Stockelsdorf, Germany
Data use – general
The mere use of our websites for information purposes is generally possible without providing personal data. The case is different if personal data is for the purpose of sending a newsletter requested by you, via our general contact form. More details about the general functions of our system can also be found on our website at tonies.com.
If we collect personal data from you, this will always take place, if possible for the provision of our service, on a voluntary basis. If there is no legal basis for such processing, we will generally obtain permission from you. After you have granted permission for this purpose, you can withdraw it at any time.
The use of your data for our regular marketing purposes and for similar goods and services is not excluded. However, you can object to this use at any time, by sending a notification to firstname.lastname@example.org or the above address, for example.
We would like to point out that data transfer via the internet can always involve security flaws. The complete protection of your data against access by third parties is not possible.
Data use in detail
Server log files
The provider of the sites automatically collects and stores information in so-called server log files, which your browser automatically sends to us. This data is as follows:
- Browser type/browser version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Time of the server request
- IP address
- Request authorisation
We cannot match this data to certain people. This data will not be compiled with other data sources. We reserve the right to check this data afterwards, if we become aware of specific indications of unlawful use.
The data is needed to correctly supply the content of our website. When using this general data and information, we do not match it to specific people. Instead, this data/information is needed to (1) supply the content of our websites correctly, (2) optimise the content of our websites and its marketing, (3) guarantee the permanent functioning of our information technology systems and the technology of our websites, and (4) to provide prosecution authorities with the information necessary for prosecution in the event of a cyberattack. This anonymously collected data and information will therefore be analysed statistically and with the objective of increasing data protection and data privacy in our company, in order to ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data in the server log files will be stored separately from all personal data entered by the data subject.
Data use: Toniebox, Tonies and Toniecloud, Toniecloud customer account
Each Toniebox has an individual client certificate ex works, with which it can clearly authenticate itself in the Toniecloud. As well as this client certificate, a Toniebox ID is also stored in the Toniecloud for each Toniebox. This Toniebox ID is also applied on the underside of the Toniebox. During the first activation and when connecting to a new Wi-Fi network, you will be asked to enter the Toniebox ID for calibration with the Toniecloud. This is to ensure that only authorised Tonieboxes can contact the Toniecloud.
Via the Toniebox-ID, the Toniebox will also be linked to a Toniecloud customer account. For the creation of this account, you need a valid email address, and you can enter additional personal details (first name, surname and gender) and subscribe to the newsletter. You also have to enter your Toniebox-ID, in order to connect your Toniebox to your customer account.
The creation of a Toniecloud customer account is absolutely necessary for the use of the Creative-Tonies, connections to other Toniecloud members, and other functions.
When you use your Toniebox, it will attempt to establish a connection to the Toniecloud in the following events: upon first-time activation, when switching on, when setting up an unknown Tonie, and upon a search for new Tonie content triggered by you. If the connection to the Toniecloud is successful, the Toniebox will send your individual client certificate, your IP address and a time stamp. When you use Tonies and a Toniebox, we will also receive data about operation events (Tonie set up/removed, including the names of the Tonies [e.g. Creative-Tonie or The Gruffallo Tonie], volume changed, rewind and skip, headphones inserted/removed, charging station connected/removed). We thereby want to continuously improve our service and our product for you. The data transfers described above are therefore stored in server log files and can be analysed by us at any time. This data will generally be collected by us anonymously. If you make contact with our customer service and name the Toniebox ID as part of a support request (e.g. because your Toniebox has a technical problem or because a Toniebox and/or a Tonie has/have been lost in transit), the hitherto anonymous data will be linked to any personal data named by you as part of the query. In this case, the customer service staff will actively point this out to you. This enables us to process your support matter, track Tonieboxes or Tonies lost in transit, uncover cases of misuse and rights violations in this regard, and defend ourselves against them. The data thereby linked will be erased as soon as your support request has been processed completely. In cases in which a rights violation is possible, we will store the data until the clarification of the rights violation or, if proceedings have been initiated, until their conclusion, and we will only erase it when we no longer need the data for evidence or legal defence purposes, or due to retention requirements.
Should you set up a Toniecloud customer account and connect your Toniebox to this account using the Toniebox-ID, we can match your customer data with the data described above, and we will therefore be able to tailor our newsletters (if you have decided to receive them) and other advertising measures to you and your individual interests, and continually improve their benefits. If you do not wish for this to happen, you have the opportunity at any time, of course, to deactivate it in your Toniecloud customer account settings (under “My Profile”) or inform us of your decision via email (email@example.com) or over the telephone. You will find our contact details above or in the legal notice.
If you upload audio files in the Toniecloud for your Creative-Tonies (via the Tonie smart phone app or via our website), these files will be converted by our server to the required audio format and then provided for playing on the Creative-Tonies. Your originally uploaded data will be automatically deleted after seven days. The converted data will then be located in our Toniecloud. You can upload new data for the desired Creative-Tonie as often as you like; the old data will thereby be deleted and replaced by the new data. We do not store the old data; for technical reasons, however, the converted data is kept for at least seven days after the conversion. We reserve the right to randomly examine the uploaded data to check for any possible violation of applicable law (including copyright law, personality rights and competition law), the applicable jurisdiction, and/or moral standards. Should we discover a violation, we reserve the right to delete the data from our Toniecloud and close your Toniecloud customer account.
If you close your Toniecloud customer account, you have the opportunity to grant another user administration rights before leaving and therefore authorise him/her to continue to use the Toniecloud account. In this case, despite the deletion of the Toniecloud customer account, uploaded data will remain in the Toniecloud.
Data use: Tonie smart phone app and QR code on Toniebox packaging
If you use our Tonie smart phone app, you require a Toniecloud customer account, and you also have to log onto the Tonie smart phone app with your email address and your password before you can use the app. The app enables you to make voice recordings and connect them to a selected Creative-Tonie by uploading them via the app from your smart phone in the Toniecloud.
Finally, we would like to point out that each Toniebox package is provided with a QR code in the factory; this is primarily for internal purposes (ERP system). This information is generally not linked to your customer account. The only case in which this does not apply is when we have sufficient indications of fraud. The QR code would then be linked to your customer account in order to trace Tonieboxes that have not arrived. This is for our protection against rights violations. The personal data thereby used will be erased by us as soon as the suspicion of fraud has failed to be confirmed or as soon as fraud proceedings initiated have been closed, and the data is no longer required for the purposes of evidence and legal defence.
If you contact our customer service staff by telephone, via email to tonies.com/support, or directly, your telephone number and email address, as well as other details you provide to our customer service staff, will be taken, stored and analysed for the purpose of processing your query. This is to enable a response to your query and improve our products and service quality. If, within the framework of such a support query, the Toniebox ID must be named in order to respond to your query, data about operation events that is so far anonymised may be linked to any personal data given by you due to the query. However, the customer service staff will actively point this out to you in such a case before such a link is carried out, and you can refuse at any time, of course.
Newsletter and marketing emails
If you would like to obtain the newsletter offered on our website via email, we require from you an email address and information that enables us to verify that you are the holder of the email address stated and have agreed to receive the newsletter (the verification takes place in a double opt-in process). You can also provide your first and last names, and gender, voluntarily. Other data will not be collected. We will only use this data to send the required information, and we will not pass it on to third parties.
The newsletters we send may contain a tracking pixel – a pixel-sized file that is accessed by our server upon the opening of the newsletter.
We carry out statistical surveys about the above. This includes information about whether the newsletter has been opened and what links have been clicked on. This information may be allocated to the individual newsletter recipients for technical reasons, but it is not our intention to observe individual users. The analyses only enable us to recognise the reading behaviour of our users and adapt our content to you, or to send different content in accordance with the interests of our individual users.
You can withdraw your consent granted to the storage of the data and email address, and its use for the sending of the newsletter, at any time, for example via the “cancel” link in the newsletter or by sending your withdrawal to the address named above or in the legal notice, phoning us or sending an email to firstname.lastname@example.org.
You can also object to the statistical surveying and analysis via the tracking pixels separately using the address named above or in the legal notice, or by sending an email to email@example.com.
Most of the cookies used by us are so-called “session cookies”. They are automatically deleted after the end of your visit. Other cookies will remain stored on your end device until you delete them. These cookies enable us to recognise your browser upon your next visit, in order to make our websites more user-friendly. The following data in particular is stored and sent in such cookies: items in the shopping cart and log-in information.
You can set your browser so that you are informed about the placing of cookies, and only allow cookies on a case-by-case basis, accept cookies for certain cases or generally exclude them, and activate the automatic deletion of cookies when closing your browser. You can also delete already placed cookies at any time via your browser and other software programmes. When deactivating cookies, the functionality of this website may be limited.
Duration of the storage of your data
We will only process and store your personal data for as long as this is necessary for the performance of our contractual and legal duties. If the purpose of the storage ceases to apply, your personal data will regularly be erased by us, unless its temporary further processing is necessary for the fulfilment of retention obligations under commercial and tax law or the preservation of evidence within the framework of the statutory limitation provisions.
Data privacy statement for the use of Google Analytics
This website uses functions of website analysis service Google Analytics. The provider is Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website will generally be sent to a Google server in the USA, where it will be stored.
In the event that IP anonymisation is activated on this website, however, your IP address will be shortened beforehand by Google within member states of the European Union or in other signatory states of the Agreement on the European Economic Area. Only under exceptional circumstances will the full IP address be sent to a Google server in the USA and stored there. On behalf of the operator of this website, Google will use this information to analyse your use of the website, create reports about the website activities, and provide the website operator with further services related to the website use and internet use. The IP address sent by your browser as part of Google Analytics will not be amalgamated with other data by Google.
You can prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out to you that in this case, you may not be able to use all functions of this website to their full extent. You can also prevent the logging of the data generated by the cookie and related to your use of the website (incl. your IP address) from being sent to Google, and the processing of this data by Google, by downloading and installing the browser plugin available via the following link: https://tools.google.com/dlpage/gaoptout.
You will find further information and the applicable data protection terms and conditions of Google (with information about the collection, processing and use of personal data by Google and your protection options in this regard) at https://policies.google.com/privacy and http://www.google.com/analytics/terms/gb.html. Google Analytics is explained in more detail in the following link: https://www.google.com/intl/en_uk/analytics/.
This site uses a plugin of the feature-flagging tool "LaunchDarkly", which is operated by Catamorphic Co. DBA LaunchDarkly, 1714 Franklin Street, Suite 100-140, Oakland, 94612, Canada. Through LaunchDarkly we can unlock or disable features for individual users and/or user groups. After your successful login to the Toniecloud, your browser will establish a secure connection to the LaunchDarkly servers. The plugin sends protocol data to the LaunchDarkly server in Canada. This log data may include your IP address, the address of the websites you visit, and your email address.
This website uses functions of the web analysis service Piwik PRO. The provider is Piwik PRO GmbH, Lina-Bommer-Weg 6, 51149 Cologne, Germany. Piwik PRO uses so-called "cookies". These are text files which are stored on your computer and which allow an analysis of your use of the website. The information generated by the cookies about your use of this website will generally be transmitted to and stored by Piwik PRO on servers in the EU, but if IP anonymisation is activated on this website, your IP address will be truncated by Piwik PRO within Member States of the European Union or in other Contracting States to the Agreement on the European Economic Area.
Transfer of personal data outside of our company
Within the framework of our customer service, and the technical and IT/EDP support, we work with order data processors and other external service providers, which receive personal data from us for the processing of customer queries and the provision of technical and IT/EDP support. We also work with other consultancy, sales and marketing companies, and, for example, providers of cloud solutions, which support us in the fulfilment of our contractual tasks and our internal marketing measures. To the extent permitted by law and in consideration of your respective interests worth protecting, an exchange of address and credit details may take place with a recognised third-party company (i.e. Dun & Bradstreet) for the purposes of a credit check. The transfer of your personal data, however, will only take place in all cases described beforehand if this is necessary for the fulfilment of our contractual tasks or for the protection of our legitimate interests, or if you have provided the corresponding permission. The transfer will generally be anonymised. All order data processors and external service providers that work with us have undertaken to protect your data in accordance with the principles of this data privacy statement and the statutory provisions, and to treat it confidentially. If you have any other questions about this topic, please contact our data protection officer at any time using the following contact details:
Mr Stephan Schollmeyer
23617 Stockelsdorf, Germany
Tel: +49 (0)451 16085221
If you do not agree to the passing on of your data, you can object to the transfer. In this case, we will not pass on your personal data unless we can demonstrate compelling legitimate grounds for the transfer that outweigh your interests, rights and freedoms, or unless the transfer is for the assertion, exercise or defence of legal rights. Please direct such an objection to the contact person responsible for the processing whose name and address are given above, or use the contact details in our legal notice. You can also direct objections to the transfer of data for our own marketing to firstname.lastname@example.org.
Your data privacy rights
You have the right at any time to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), object (Art. 21 GDPR) and data portability (Art. 20 GDPR). Regarding the right to access and erasure, the restrictions of § 34 and § 35 BDSG apply. You also have a right to lodge a complaint with a competent data privacy supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).
You can withdraw permission you have granted for the processing of personal data from us at any time in accordance with Art. 7(3) GDPR. This also applies for the withdrawal of declarations of consent that were issued to us before the validity of GDPR (in other words, before 25 May 2018). Please note that the withdrawal will only be with future effect. Processing that takes place before the withdrawal is not affected.
INFORMATION ABOUT YOUR RIGHT TO OBJECT IN ACCORDANCE WITH ART. 21 GDPR
IF, WITHIN THE FRAMEWORK OF THE BALANCING OF INTERESTS, WE PROCESS YOUR PERSONAL DATA DUE TO AN OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THIS PROCESSING, WITH FUTURE EFFECT, FOR REASONS RELATING TO YOUR PARTICULAR SITUATION. IF YOU MAKE USE OF YOUR RIGHT TO OBJECT, WE WILL END THE PROCESSING OF THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO PROCESS IF WE CAN DEMONSTRATE COMPELLING GROUNDS WORTH PROTECTING THAT OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FUNDAMENTAL FREEDOMS, OR IF THE PROCESSING SERVES TO ASSERT, EXERCISE OR DEFEND LEGAL RIGHTS. IF YOUR PERSONAL DATA IS PROCESSED BY US FOR OUR OWN MARKETING PURPOSES, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO SUCH PROCESSING. IN THIS CASE, WE WILL NO LONGER USE YOUR PERSONAL DATA FOR MARKETING PURPOSES.
To exercise your data privacy rights, you can contact our data protection officer, or any of our employees. You will find the addresses above under the name and address of the controller responsible for the processing and in our legal notice. You can send objections to the use of your personal data for our own marketing purposes to email@example.com, for example.
Protection of your personal data
We endeavour to take appropriate protective measures to guarantee the security, integrity and confidentiality of the information provided by you. For this reason, we have set up technological security strategies that are intended to protect the personal information about you that is collected by us. Furthermore, we take security measures that are prescribed by the applicable data protection provisions. Your personal data is encrypted and sent via the internet by means of SSL in the order process and in the Toniecloud. We secure our websites and other systems, by means of technical and organisational measures, against the loss, destruction, changing and distribution of, and access to, your data by unauthorised persons.
Access to your customer accounts in the online shop and in the Toniecloud is only possible in each case after entering your personal password. The same applies for the Tonie smart phone app. You should always keep your access information confidential and close the browser window when you have ended your communication with us – particularly if you are using the computer, your tablet or your smart phone jointly with others.
Purposes of the data processing and legal bases
We process your personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG):
a) for the fulfilment of contractual obligations (Art. 6[b] GDPR)
The processing of your personal data takes place primarily for the provision of our contractual services in our online shop and the Toniecloud – in other words, within the framework of the performance of our contracts with our customers and, if necessary, for the implementation of precontractual measures that are taken upon request for our products and services.
b) based on your permission (Art. 6 [a] GDPR)
If you have granted us permission to process your personal data for certain purposes (e.g. sending newsletters), the processing will take place based on this permission. You can withdraw this permission at any time. Such a withdrawal is only valid with future effect and does not affect the legitimacy of the data processed before the withdrawal.
c) due to statutory provisions (Art. 6[c] GDPR)
If we are subject to a legal obligation based on which the processing of personal data is necessary, e.g. for the fulfilment of tax obligations, such processing of personal data will be based on Art. 6[c] GDPR.
d) within the framework of the balancing of interests (Art. 6[f] GDPR, § 7 UWG)
If we process personal data that is not covered by the above legal bases, the processing may also be necessary for the safeguarding of a legitimate interest of our company or a third party, provided that it is not overridden by your interests, fundamental rights and fundamental freedoms. This is the case, for example, if we use your personal data for the marketing of our products, if you have not objected to such a use of your data, or if a potential data exchange takes place with a recognised third-party company (i.e. Dun & Bradstreet) for the purposes of a credit check or during the processing of an order.